Tech

Friday, 16 December 2011

Power Grid Cybersecurity: Who's In Charge?

A country or region's power supply is a juicy target for cyberattack, especially if it's made part of a larger assault. Is the United States' grid adequately protected? Studies on the matter have raised serious doubts. Millions of new communicating electronic devices could introduce new options for attack that may result in anything from loss of control over grid devices to loss of communications.

CCybersecurity experts have been murmuring for some time that the United States' power supply is open to cyberattacks.

"If someone were to think about attacking another nation, the first thing they'd do is take out the power grid, since it's the hub around which other infrastructure spokes revolve," Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization (NESCO), told TechNewsWorld.

An MIT study released recently by MIT seems to be bringing matters to a head.

Among other things, the report calls for the establishment of one organization to head cybersecurity efforts for the U.S. power infrastructure. It states that, essentially, there are far too many organizations overseeing different aspects of power supply cybersecurity.

The report followed news in early November that someone had hacked into a small water-utility serving Springfield, Ill., from Russia.

Too Much Information

Advances in technology such as new so-called smart meters utilities have contributed to the cybersecurity mess dogging America's power supply.

Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce new options for attack that could result in anything from loss of control over grid devices to loss of communications between utilities or control centers, or even blackouts, the MIT study found.

Over the next 20 years, the growth of data flowing through grid communications networks will far exceed that of electricity flowing through the grid in percentage terms, the study said. In other words, if the amount of electricity grows by x percent, the amount of data would be a multiple of x.

Many Hands Don't Make Light Work

Another part of the problem is that nobody's in charge.

Two bills, S. 1342 and H.R. 5026, were introduced in Congress, the report states.

Both propose a single agency to oversee cybersecurity for the electric power system. However, the Obama administration seems to want to put Homeland Security in charge, while Congress is opting for the Department of Energy and the Federal Energy Regulatory Commission.

Although the two sets of standards may not overlap substantially because of their different areas of focus, their very existence might create confusion. The Federal Communications Commission has identified the potential for conflict between the CIP and other standards and said the resulting ambiguity was slowing utilities' decision making and deployment of new technologies.

Responsibility Without Authority

Further, standards-setting organizations such as NIST don't have the muscle to ensure adherence to their recommendations.

"NIST was legislatively given responsibility for coordinating the development of standards but does not have regulatory or operational authority," Jerrold Grochow, a research affiliate with the MIT Energy Initiative, which conducted the study on cybersecurity in the nation's power system, told TechNewsWorld.

There Can Only Be One

"We believe that what is most important is that it be made clear that some agency is in charge across all aspects of the grid, including the bulk power system, currently regulated by FERC, and the investor-owned distribution system, which includes cooperative and municipal distribution systems, currently regulated by individual state public utility commissions," MIT's Grochow said.

Improving cybersecurity will "require a coordinated approach to standards and regulation across all aspects of this increasingly interconnected grid," Grochow cautioned.

The confusion may be exacerbated by internecine disputes.

An audit earlier this year by the DoE inspector-general criticized FERC for approving CIP standards that didn't contain commonly used security practices and adopted a poor approach to implementation, the MIT study asserted.

What About SCADA?

Another important part of the power infrastructure -- supervisory control and data acquisition (SCADA) control systems -- is often ignored in conversations about cybersecurity.

As a rule, SCADA systems tend not to be protected.

"This is just an area of industry that simply had not experienced the level of scrutiny that, say, makers of desktop applications or operating systems had faced, so they had never created a process or internal dedicated teams to deal with the issue," Parveen Jain, CEO ofRedSeal Networks, told TechNewsWorld.

"When it came to protecting clients in a number of instances, the advice from vendors was to unplug the SCADA solution from anything connected to the Internet or any public network," Jain added.

Things are changing for the better, partly because of growing pressure from regulators. Still, "it's a big problem where you have old systems, sometimes unresponsive vendors, limited resources and yet [a technology that's] a tremendous source of risk to almost everyone," Jain stated.

Few in the power-generation industry really understand supervisory control and data acquisition (SCADA) control systems, Joseph Weiss, managing partner at Applied Control Solutions, who's an expert on control systems security, told TechNewsWorld.

"We don't have enough people who even know what the problem is," Weiss explained. "How the heck can we have a plan when we don't know what the problem is?"